From Splunk Wiki


This page lists some use cases in the area of fraud detection that could be implemented in Splunk. Currently there is no application that does this out of the box; these are all ideas for how to detect fraudulent behavior with Splunk. Also note that fraud detection generally relies heavily on the application logic and is very specific to the applications at hand:

  • Perform historical investigation based on userID, IP address and/or transaction information from daily transaction logs or otherwise captured transaction information.
    • Capability to query for IP address associated with the questioned transaction using log file data as search criteria
  • Detect logins from specific geographic locations, as determined by source IP address
  • Detect location changes by configurable threshold based on user history
    • Logins from different geographic regions from one userID during a finite time period are detected
  • Simultaneous sessions by a single user
  • User password changed from abnormal location – based on existing history of user
  • Malicious URLs
    • Cross-site scripting, SQL injection, Session hijacking, etc.
  • Speed of transactions threshold – too quick to be human interaction
  • Grouping of sessions by userID/IP address
    • Single company with multiple users may need to be considered as one entity for analysis purposes
  • Logon and logoff analysis
  • Detect change in logon time or application use based on user history
  • Ability to create custom filters or policies to detect abnormal activity
    • A static policy/filter with a list of triggers or pre-defined criteria
    • A dynamic policy/filter based on pattern recognition
    • For example, querying for reports on consecutive social security numbers
    • A custom policy that would trigger an alert based on an incident or series of events instead of just one event
  • Multiple failed logins from a single source/multiple sources, etc.
  • Ability to create custom business rules for monitoring application performance and usage
    • Example: number of SSNs requested, account changes, multiple accounts using the same contact information, transaction types
  • Report top ‘suspicious’ accounts with trending and drill-down for details
  • Customizable reporting
    • Excessive activity on one record
    • Failed login activity and trending
  • The ability to manage SSL certificates and encrypted sessions
  • Must provide audit trail and reporting capabilities
  • Allow for secure backup and restoration of critical information
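Three of the use cases above (logins from different geographic regions for one user within a finite time period, simultaneous sessions by a single user, and transaction speed too fast to be human) are worked through below as an added example. This is not Splunk code and not part of the original page: in a Splunk deployment the same logic would be written as searches over the indexed events, but it is shown here in Python so the detection logic can be run and checked offline. The log line format, the IP-prefix-to-region table standing in for a GeoIP lookup, and the thresholds (one-hour window, three transactions under five seconds apart) are all assumptions, and the log lines are constructed.

```python
"""Fraud-signal checks over constructed authentication/transaction log lines.
Added example, not Splunk code. The log format, region table and thresholds
are assumptions chosen to illustrate the use cases, not values from any system."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not from a real system). Assumed format:
# ISO timestamp, event name, then key=value pairs.
SAMPLE_LOG = """\
2024-03-01T09:00:00 login user=alice ip=203.0.113.5 session=s1
2024-03-01T09:20:00 login user=alice ip=198.51.100.9 session=s2
2024-03-01T09:21:00 txn user=alice ip=198.51.100.9 session=s2 amount=10
2024-03-01T09:21:02 txn user=alice ip=198.51.100.9 session=s2 amount=10
2024-03-01T09:21:04 txn user=alice ip=198.51.100.9 session=s2 amount=10
2024-03-01T09:30:00 logout user=alice ip=203.0.113.5 session=s1
2024-03-01T10:00:00 login user=bob ip=192.0.2.7 session=s3
2024-03-01T10:45:00 txn user=bob ip=192.0.2.7 session=s3 amount=250
2024-03-01T11:00:00 logout user=bob ip=192.0.2.7 session=s3
"""

# Assumed prefix -> region table standing in for a GeoIP database lookup.
REGION_BY_PREFIX = {"203.0.113.": "EU-West", "198.51.100.": "AP-East", "192.0.2.": "US-East"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")

def parse(log_text):
    """Parse lines into dicts, skipping lines that do not match the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"]}
        ev.update(dict(kv.split("=", 1) for kv in m["kv"].split()))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def region_of(ip):
    """Map a source IP to a region via the assumed prefix table."""
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"

def region_changes(events, window=timedelta(hours=1)):
    """Logins by one user from different regions inside the window (user, from, to)."""
    alerts = []
    last = {}  # user -> (timestamp, region) of that user's previous login
    for e in (e for e in events if e["event"] == "login"):
        region = region_of(e["ip"])
        prev = last.get(e["user"])
        if prev and prev[1] != region and e["ts"] - prev[0] <= window:
            alerts.append((e["user"], prev[1], region))
        last[e["user"]] = (e["ts"], region)
    return alerts

def simultaneous_sessions(events):
    """Users who had more than one session open at the same moment."""
    open_sessions = defaultdict(set)  # user -> ids of currently open sessions
    flagged = set()
    for e in events:
        if e["event"] == "login":
            open_sessions[e["user"]].add(e["session"])
            if len(open_sessions[e["user"]]) > 1:
                flagged.add(e["user"])
        elif e["event"] == "logout":
            open_sessions[e["user"]].discard(e["session"])
    return sorted(flagged)

def rapid_transactions(events, min_gap=timedelta(seconds=5), min_count=3):
    """Sessions with a run of >= min_count transactions each under min_gap apart."""
    alerts = []
    by_session = defaultdict(list)
    for e in events:
        if e["event"] == "txn":
            by_session[e["session"]].append(e["ts"])
    for session, stamps in by_session.items():
        run = 1
        for a, b in zip(stamps, stamps[1:]):
            run = run + 1 if b - a < min_gap else 1
            if run >= min_count:
                alerts.append(session)
                break
    return alerts

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("region changes:", region_changes(evs))
    print("simultaneous sessions:", simultaneous_sessions(evs))
    print("rapid transactions:", rapid_transactions(evs))
```

Each check keeps only the per-user or per-session state it needs (last login, open session ids, transaction timestamps), which is the same shape a streaming or scheduled search over the raw events would maintain; the thresholds are the tunable part and should be set from the application's own user history rather than the constants used here.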